Top X lists of misconfigurations and vulnerablities relating to Kubernetes, as well as aggregating more in depth resources, blogs, etc. from around The Internet. warning - 👽 this documentent is alive and is subject to change.

• @jpetazzo, @jessfraz, @raesene, @jbeda, @tallclair, @anapsix, @bradgeesaman

• kubesec.io
• Maya Kaczorowski - googleNext18 security journey slide
• Top 9 Kubernetes Setting You Should Check To Optimize Security
• CIS Center For Internet Security
• Hardening Linux Containers - NCC Group Whitepaper

0. Stay up to date with upstream Kubernetes, try not to fall more than 3 months behind.
1. Exposed Dashboard 😨
   • 😃 disable it
   • On Securing the Kubernetes Dashboard - Joe Beda
2. CAdvisor: insecure port
3. Misconfigured RBAC (vague, build out examples and links)
4. Allowing anon access --anonymous-auth allows for compromising cluster with the service token access
   • Kubernetes Attack Surface @raesene
5. Unauthenticated kubelet
6. Unauthenticate etcd
7. Mounts the docker socket, e.g. docker in docker
8. Your Pod is too strong 😨
   • Lock down your ``podSecurityPolicy` @tallclair
   • AppArmor to lock down capabilities.
     • Containers, Security, and Echo Chambers @jessfraz
9. Pods with containers running applications as "root"
10. Unencrypted etcd at rest
11. Not Protecting The Instance metadata in cloud providers like AWS and GCP

• Exploring The Security Of Helm bitnami (Tiller is too strong)

• Tesla Cloud Resources Are Hacked To Run Cyprtocurrenty-Mining Malware